From: Victor Duchovni on
On Fri, Jan 22, 2010 at 10:40:03AM -0600, Stan Hoeppner wrote:

> Kenneth Marshall put forth on 1/22/2010 8:39 AM:
> > pdns-recursor is easy to configure/use and has a tuneable
> > resource footprint.
> Got her installed, configured, up and running. Let's see if this improves this
> spamhaus situation, and a handful a day of other dns related errors I've been
> getting during mail transactions. Those other errors may be normal, maybe not.
> This resolver should help me figure that out.
> I limited the cache to 65536 entries to start with to keep the ram footprint
> low.

You can probably drop it even lower to ~8K entries, without significant
impact on cache effectiveness, this is a single host cache for a low
query volume host, not a recursive cache for a large network.


Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit or click the link below:

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

From: Larry Stone on
On Fri, 22 Jan 2010, Stan Hoeppner wrote:

> My venting should be aimed at Spamhaus. What they've done here is the opposite
> of transparency. In the case of Google DNS, Spamhaus has pulled something a bit
> underhanded in my estimation. They don't want people using Google DNS to query
> Spamhaus zones. That's fine. I have no problem with that. But the way in
> which they have blocked access creates a silent discard on mail servers using
> Google DNS, or at least Postfix (I can't speak for other MTAs in this regard).

> What they should have done is reply with a code that actually generates a
> visible log error, so an admin, such as myself, can actually see that something
> is wrong. Instead, all I got from my logs was silence. Multiple months of that
> deafening silence finally prompted my action as I knew there had to be something
> wrong.

This is getting away from Postfix so I'll keep this part short but I'll
take the opposite side. For Spamhaus to reply with anything other than
NXDOMAIN risked some MTA rejecting the mail. For those resolvers they, for
whatever reason, do not want to serve, a response that says "accept the
mail" is the only logical response. Anything other than that or a specific
reject reason (as encoded in a NXDOMAIN response) is undefined and could
cause some MTA to incorrectly reject the mail.

When I first set up asking RBL lists, I periodically checked the logs to
make sure they were working. Even today, I have a weekly cron job that
gives me a report of RBL effectiveness (it's real crude - a simple grep
piped to wc -l) and mails it to me. I don't trust that I have anything
setup correctly until I see proof in my logs.

-- Larry Stone